Site Hacked - Google results takes the user to some hacked page Topic is solved

[ourequation]

My site is www.

Code: Select all

examsample.com

, currently on version 3.5 I got an alert from google about site hack. If i type directly my site name it downloads my site. However when it comes from search result it takes the user to a viagara site. Seeing various help i did ran FPA Tool and below are the results. Any help would really be appreciated

Joomla! Instance :: Joomla! 3.5.0-Stable (Unicorn) 21-March-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 3.5
Configuration Options :: Offline: false | SEF: true | SEF Suffix: true | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: N/A | SSL: 0 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: true | dbConnection Type: mysqli | PHP Supports J! 3.5.0: Yes | Database Supports J! 3.5.0: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 2.6.32-896.16.1.lve1.4.51.el6.nfsfixes.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 4881.41 GiB |

PHP Configuration :: Version: 5.4.19 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 32759 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 33M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

Database Configuration :: Version: 5.5.43-37.2-log (Client:5.5.19) | Host: --protected-- (--protected--) | default Collation: latin1_swedish_ci (default Character Set: latin1) | Database Size: 81.16 MiB | #of Tables:  76

PHP Extensions :: Core (5.4.19) | date (5.4.19) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | apc (3.1.13) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | session () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | standard (5.4.19) | pspell () | Reflection ($Id: 6c4d8062369898a397e4b128348042f5c01b4427 $) | Phar (2.0.1) | SimpleXML (0.1) | soap () | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Engine (2.4.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::

Database statistics :: Uptime: 10437128 | Threads: 35 | Questions: 10217708775 | Slow queries: 22075 | Opens: 361289544 | Flush tables: 19 | Open tables: 10000 | Queries per second avg: 978.977 |

Components :: SITE ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party::

Components :: ADMIN ::
Core :: com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_config (3.0.0) 1 | com_content (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.0.0) 1 | com_languages (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_menus (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_templates (3.0.0) 1 | com_users (3.0.0) 1 |
3rd Party:: JMap (3.8) 1 | COM_SPUPGRADE (4.1.1) ? |

Modules :: SITE ::
Core :: mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_languages (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_wrapper (3.0.0) 1 |
3rd Party:: JSitemap module (3.8) 1 |

Modules :: ADMIN ::
Core :: mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 |
3rd Party:: JSitemap Quickicons (3.8) 1 |

Libraries :: SITE ::
Core ::
3rd Party::

Plugins :: SITE ::
Core :: plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_finder_categories (3.0.0) 0 | plg_finder_contacts (3.0.0) 0 | plg_finder_content (3.0.0) 0 | plg_finder_newsfeeds (3.0.0) 0 | plg_finder_tags (3.0.0) 0 | plg_installer_webinstaller (1.1.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_search_categories (3.0.0) 0 | plg_search_contacts (3.0.0) 0 | plg_search_content (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 0 | plg_search_tags (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_languagefilter (3.0.0) 0 | plg_system_log (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_p3p (3.0.0) 0 | plg_system_redirect (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 |
3rd Party:: Content - JSitemap Pingomatic (3.8) 1 | plg_editors_codemirror (5.12) 1 | plg_editors_tinymce (4.3.3) 1 | System - JSitemap utilities (3.8) 1 |

Templates :: SITE :: beez3 (3.1.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |

[gws]

You have probably been hacked, joomla 3.5.0 is old and vulnerable you must update to the latest version 3.9.1. Try myjoomla.com the first scan is free, to determine what is the problem with your site.

[leolam]

He has been hacked https://sitecheck.sucuri.net/results/www.examsample.com

I would hire Phil Taylor from myjoomla.com to restore your site. All the methods mentioned on these forums take ages of time. Since this is again of a GoDaddy server (every GoDaddy server get's hacked) I strongly advise you to move away from Godaddy once your site is repaired and you have learned a lesson. Always keep Joomla and your extensions Up-To-Date

Also and mea culpa.... What a crap! Version: 5.4.19 | PHP API: cgi-fcgi | Session Path Writable: No PHP5.4? Excuse me? What on earth you drive a Joomla 3.x site on PHP5.4? You should run on PHP7.1 the least. Get away from Godaddy!

Leo

[Webdongle]

If you can afford professional help then myjoomla.com and pay a professional to monitor the site. But if you can't afford it then spend the time fixing it viewtopic.php?f=714&t=946026

But definitely move from gddy

[leolam]

But definitely move from gddy

Kevin, wrong spelling 'nddy'

Leo

[Webdongle]

Yep because I don't want to give them a proper mention.

[ourequation]

Thanks everyone.I have removed the hack (Hopefully) Everything looks good now. Can you advice me on affordable hosting services where I can host joomla.I know this is a different topic but since it originated from hack info i am posting it over here.

[annahersh]

Thanks everyone.I have removed the hack (Hopefully) Everything looks good now. Can you advice me on affordable hosting services where I can host joomla.I know this is a different topic but since it originated from hack info i am posting it over here.

If your website is with Godaddy, all is well, you don't need to change. I have 8 Joomla sites at that host for 11 years and none have ever been hacked.

Shared hosting will always have loopholes, regardless of the host. Just follow the rules of website maintenance "backup, backup , backup" periodically and keep all software up to date.

[Webdongle]

Thanks everyone.I have removed the hack (Hopefully) Everything looks good now. ...

How did you remove it ?

[Webdongle]

... Just follow the rules of website maintenance "backup, backup , backup" periodically and keep all software up to date.

Hacks are placed on a server long before they are noticed. Backups can contain the original hack so are often useless when a server has been compromised.

[ourequation]

updated htaccess , config.php, component.php and also deleted some malacious code on the webserver

[ourequation]

But i must tell you, webdongle, leo you guys are great asset for joomla commmunity. Your mere presence gives a lot of confidence to debug the code. Hope some day i can give the community back what I learn.

[annahersh]

Hacks are placed on a server long before they are noticed. Backups can contain the original hack so are often useless when a server has been compromised.

You further confirm my logic that the host is not at all relevant. All shared hosting environments are vulnerable and having a periodic backup is always sensible.

Hackers tend to seek dormant sites, especially those with outdated frameworks and server side applications. Godaddy provides excellent tools to change PHP version and configure accordingly, and they also give tips on what is suitable for the user. I haven't yet found a reason to quit them.

gd-config.jpg

gd-php-selector.jpg

[ourequation]

annahersh

I have been godaddy for last 10 years hosting various sites on them. Since my site was hacked i have been on a negative experience.

Here are few reasons I am now moving away from Godaddy.

1. You are correct that they provide various php options. However no matter how many hosting months you have you still have to buy new hosting if you want to upgrade it 7.0 else you remain on old server which has php 5.8 or 5.9. And more over in new server you have to manually configure everything. If i have to do it then why not try another host which at same rate provides SSL certificate as well and backups.

I had asked do you take regular backups.
The answer was no. I was surprised.

Anyways there are two sides of the coin. Currently your pleased customer of godaddy and I am not... Lets leave it here and enjoy.. But thanks for being so supportive in this forum.

[leolam]

Godaddy provides excellent tools to change PHP version and configure accordingly, and they also give tips on what is suitable for the user.

Godaddy does not give tips....Since when do they provide excellent tools in their crooked control panel? For every fart you let go they ask money. It is not for nothing that Godaddy.com (you might remember that site which was bought by GD to get rid of it) was so huge and popular. I have only 100% bad experiences for our users and thankfully we have managed to move all away from this crooked comany (using a certain person's favorite way of expression since they fit well together)

Leo

[Webdongle]

... Your mere presence gives a lot of confidence to debug the code. ...

Then your site is still hacked.

http://google.com/search?q=godaddy+hacked